[Opendnssec-user] the 'keep' label in kasp.xml
Rickard Bellgrim
rickard.bellgrim at iis.se
Fri Mar 12 11:35:00 UTC 2010
On 12 mar 2010, at 10.51, Pierre Lebrech wrote:
> The unsigned zone is always incremented during a zone update. I thought that
> the serial number of the signed zone would not change with the use of
> the 'keep' label. But the serial still increases in the signed zone.
We 'keep' the SOA serial from the input zone. So if you update the input zone, then we also update it for the signed zone. We can only update the signatures if we can write a zone with newer SOA serial, than the previous signed zone.
With the 'keep' mode, you have to remember to continuously update the SOA serial, in order to have your signatures automatically updated. Or else they will expire. We use this mode because we have a provisioning system that generates the .se-zone every second hour, and then distribute it to our secondaries.
// Rickard
More information about the Opendnssec-user
mailing list